Facebook's $5 Billion Privacy Fine Almost Certainly Too High

Title

Facebook has faced intense criticism from lawmakers and regulators since last spring, when The Observer and The New York Times reported that data from over 50 million Facebook users had been harvested as part of Cambridge Analytica’s effort to influence American voters. After a year-long inquiry, in late July, the Federal Trade Commission voted to settle a complaint against Facebook for allegedly violating a 2012 FTC settlement that barred the company from misrepresenting the extent to which consumers can control the privacy of their information and how Facebook handles user data. The FTC accused Facebook of, among other things, misleading users about how to safeguard their data from third-party apps installed by their friends. Under the new settlement, if approved, Facebook faces a $5 billion civil penalty and a raft of new privacy and data security obligations.

This $5 billion penalty—a record for the FTC—has been criticized as too small to deter Facebook and other large tech companies from future wrongdoing. On closer examination, however, $5 billion is a remarkably high penalty under the circumstances, especially compared to the amount the government would have likely recovered had it litigated its complaint against Facebook. And it’s highly unlikely that Facebook earned anything close to $5 billion due to its alleged misconduct.

Facebook’s New FTC Settlement: Calculating the Penalty Amount

The FTC’s two Democratic commissioners, Rebecca Kelly Slaughter and Rohit Chopra, dissented from the settlement. They criticized both the amount of the civil penalty and the proposed injunction in separate dissenting statements. Regarding the $5 billion penalty, Commissioner Kelly Slaughter wrote that “[t]he negotiated civil penalty is insufficient under the applicable statutory factors [the FTC is] charged with weighing for order violators.” Commissioner Chopra went further, writing that “[t]he $5 billion penalty is less than Facebook’s exposure from its illegal conduct, given its financial gains.”

On the one hand, five billion dollars is a large sum of money, especially compared to civil penalties imposed in the past on firms that violated enforcement orders issued by the agency. Previously, the largest penalty for a violation of an order involving Section 5 of the FTC Act was $22.5 million, imposed against Google in 2012 for misleading users about how it tracked users of Apple’s Safari browser. On the other hand, Facebook is a huge company: in 2018, it brought in over $55 billion in global revenue, with $22 billion in net income.

How large a civil penalty can a company theoretically face for violating a final FTC order? Under Section 5(l) of the FTC Act, adjusted for inflation by Federal Civil Penalties Inflation Adjustment Act, the maximum civil penalty is $42,530 per violation, recoverable by the U.S. Attorney General. And if a company fails to “obey a final order” of the FTC, “each day of continuance of such failure” amounts to a separate violation.

For how long did Facebook allegedly violate the 2012 FTC consent order? According to the FTC’s 2019 complaint, in December 2012, Facebook violated the 2012 order when it removed a “disclaimer to its Privacy Settings page” warning users that “information shared with Facebook Friends could also be shared with the apps those Friends used.” Yet this information remained largely accessible to third-party developers until April 2015, when Facebook changed its app interface so that apps could no longer access data about its users’ friends. But a small number of apps, it seems, were exempt from this new rule. These whitelisted developers could continue to access app users’ friends’ data until June 2018.

About 2,000 days elapsed during this period from December 2012 to June 2018 when Facebook allegedly misled users about whether their data was accessible to third-party apps installed by their friends. At $42,530 per day, the maximum civil penalty owed by Facebook for this ongoing violation would amount to roughly $85 million.

If Facebook and FTC hadn’t settled, and the agency had proceeded to litigation against the company, how might a reviewing court have calculated Facebook’s civil penalty? The FTC (or the Department of Justice) might have urged the court to look beyond the duration of the violations, perhaps arguing that Facebook committed a separate violation of the 2012 order each time it allowed an application to access its users’ friends’ data—or even each time a user’s data was accessed by an application that the user had not installed. The FTC could have pointed to cases in which companies that sent a bulk mailing in violation of an FTC enforcement order were found to have committed a separate violation for each individual piece of mail unlawfully sent. E.g., United States v. Reader’s Digest Ass’n, Inc., 662 F.2d 955, 966 (3rd Cir. 1981).

But Facebook would have had a strong case that its platform-wide policy of allowing apps to access data about each user’s friends is very different from a distinct, tangible piece of mail with proper postage and a unique recipient address. Instead, Facebook’s alleged violation is much more akin to violations involving a single act by a company affected multiple consumers, such as when courts have imposed a penalty based on the number of days a company failed to obey an FTC order. E.g., Dep’t of Justice v. Daniel Chapter One, 89 F. Supp. 3d 132, 148 (D.D.C. 2015) (dietary supplement company committed an ongoing violation each day it mispresented products on a radio show also posted online).

Beyond Civil Penalties: Disgorgement and Restitution

Even if the FTC could not have obtained anything approaching $5 billion as a civil penalty through litigation, however, Commissioner Chopra notes that the agency can also obtain equitable relief from companies that violate Section 5 orders. For example, he writes, “if anything of value was taken from consumers, this value can be refunded or redressed. Similarly, if a company was able to generate revenue or profits through its illegal acts, the FTC can seek the forfeiture of these gains.”

Some courts disagree as to whether the FTC can obtain equitable relief from a Section 5 violator unless the FTC has either issued a rule covering the wrongful conduct or obtained a cease-and-desist order against the violator following an administrative adjudication. In August 2019, a panel of the U.S. Court of Appeals for the Seventh Circuit held that a key provision of the FTC Act often relied on by the agency to obtain equitable relief doesn’t actually authorize such relief. Other courts, however, share the FTC’s view.

For the sake of argument, though, let’s assume that Facebook could be held liable for restitution and disgorgement. To what extent did Facebook’s alleged violations of the 2012 consent order enrich the company? Here’s Commissioner Chopra:

The Commissioners supporting the proposed penalty do not cite any methodology or analysis on Facebook’s unjust enrichment from violating the Commission’s order. In my view, a rigorous analysis of unjust enrichment alone – which, notably, the Commission can seek without the assistance of the Attorney General – would likely yield a figure well above $5 billion. As described earlier, Facebook’s lawbreaking contributed directly to its drive for dominance and profits, especially in the mobile space. The gains it realized from this lawbreaking were likely massive, especially given the large number of users who may have opted out of sharing had they known how. This would have significantly affected Facebook’s value proposition to developers and shareholders.

Importantly, the 2012 FTC consent order didn’t bar Facebook from allowing an app to access data about its users’ friends. Rather, the order barred Facebook from misrepresenting “the extent to which a consumer can control the privacy” of her information shared on Facebook. From August 2012 to December 2012, Facebook posted a disclaimer “warning users that information shared with Facebook Friends could also be shared with the apps those Friends used.” The warning stated: “Remember: the people you share with can always share your information with others, including apps.” Facebook eliminated this disclaimer in December 2012.

How much did Facebook benefit financially from its alleged misrepresentations regarding third-party apps? Neither the dissenting statements, the FTC’s complaint, nor the stipulated order offer much detail. To estimate the amount, it would help to know the answers to these questions:

How did Facebook users’ lack of awareness that their data was accessible to apps installed by their friends affect these users’ decision to opt out of such sharing and, more broadly, their overall engagement with Facebook?

How much user information was accessed by Facebook apps that they wouldn’t have received had Facebook not eliminated its disclaimer about apps installed by friends?

How much additional revenue did Facebook generate from apps via increased ad revenue or in-app payments because apps could access data from users who would have opted out of sharing if the disclaimer had stayed up?

To what extent did Facebook’s overall value as a platform—including its ability to attract advertisers—grow because of how few users opted out of sharing their data with apps installed by their friends?

The FTC’s complaint notes that “[d]uring all times relevant to this Complaint, only a very low percentage of users opted out of this default setting.” Changing this default setting—buried deep in Facebook’s menus—made a user’s information inaccessible to apps installed by their friends. The complaint seems to say that the opt-out rate was very low even between August 2012 and December 2012, when Facebook displayed the disclaimer about apps’ data access? During those four months, how much more likely were users to opt out than they were when the disclaimer disappeared in December 2012?

Generally speaking, when it comes to privacy, only a small percentage of users who have the ability to opt out of information sharing actually do so, even when they aren’t misled about the privacy of their information. On the other hand, Commissioner Chopra’s dissent points out that upwards of 75 percent of Facebook users have enabled some sort of restrictive privacy setting on their profile, such as limited certain categories of information to “friends” or “friends of friends.” Still, the complaint seems to state that even when Facebook had a disclaimerwarning users about third-party apps, a “very low percentage” of users navigated to Facebook’s Apps Settings page and opted out of sharing data with apps installed by their friends.

Was this percentage so low because users didn’t see the disclaimer? Was opting out too complicated, given that it entailed navigating deep in Facebook’s settings? Or was the opt-out rate so low because most users simply didn’t care that some of their data was accessible to their friends’ apps? There are several plausible explanations for the very low opt-out rate, many of which don’t involve any alleged misrepresentations by Facebook.

How were Facebook’s revenues from December 2012 to June 2018 affected by the ability of third-party apps could access their users’ friends’ profiles? Apps generate revenue for Facebook in two principal ways: app purchases and advertising. Regarding app purchases, Facebook’s Payments service facilitates users making in-app purchases for premium content. App developers get a 70 percent cut of their sales; Facebook keeps the other 30 percent. From 2015 to 2017, Facebook generated between $711 million and $849 million of annual revenue in net fees collected globally from in-app purchases. In 2017, this amounted to about 1.75 percent of Facebook’s total revenue.

Facebook also makes money on apps via in-app advertising. Facebook’s Audience Network places ads inside mobile apps, and Facebook shares some of the resulting ad revenue with the app developer. Facebook reported generating $1 billion in net ad revenue from its Audience Network in the fourth quarter of 2015. In 2018, according to one estimate, Facebook’s Audience Network generated $4 billion during the year.

How Much Did Facebook Earn from Apps Because of Access to Users’ Friends?

We know that prior to April 2015—or, for whitelisted apps, before June 2018—apps had access to data about most of their users’ friends. And we know that apps have generated about $5 billion in annual revenue for Facebook through Payments and the Audience Network in recent years. But there’s still the question of how much additional revenue these apps generated for Facebook because they had access to their users’ friends’ data.

For some developers, having access to this data meant they could better target their ads to Facebook users. GSRApp, a Facebook app with 250,000 users, collected data on at least 50 million Americans who were friends with its 250,000 users. Cambridge Analytica used this data to create psychographic profiles of these 50 million users in hopes of better deciding which political ad to show each user. How did Facebook benefit? The platform made tens of millions of dollars from spending on political advertising during the 2016 U.S. presidential election. Some these campaign dollars might have flowed elsewhere had it not been for data mining fueled by apps that accumulated information on tens of millions of potential American voters.

But it’s far from clear whether advertisers harnessing user data from apps for targeting purposes—a violation of Facebook’s poorly enforced policies—was a widespread phenomenon from December 2012 to June 2018. After the Cambridge Analytica scandal made headlines in April 2018, advertisers upped their spending on Facebook ads. And presidential candidates competing in the 2020 Democratic primary spent about $38 million on Facebook ads as of August 2019—despite Facebook’s crackdown on apps misappropriating user data.

Another question mark is whether apps were accumulating and misusing data between April 2015 and June 2018, a period when only whitelisted developers could access their users’ friends’ data. It’s not clear whether Facebook benefited financially from allowing such access. For example, Facebook let Lyft access its users’ friends’ profiles because “Lyft wanted to show carpool riders their mutual friends as an ‘ice breaker,’ even if those friends were not using Lyft.” This certainly helped Lyft, but what about Facebook? Perhaps the firms’ close relationship resulted in Lyft spending more on Facebook ads. But it does not appear that whitelisted apps were monetizing their users’ friends data in a fashion similar to Cambridge Analytica.

From December 2012 to June 2018, roughly speaking, it seems that Facebook brought in $19 billion from apps, including both net fees from in-app Facebook Payments purchases ($700 million to $850 million annually) and net revenue from Facebook Audience Network advertising ($1 billion per quarter). If we assume that around 39 percent of Payments and Audience Network revenue during this period came from American users, Facebook generated about $7.4 billion in app-related revenue from users in the United States.

Imagine that one in four Facebook users would have opted out of allowing their friends’ apps to access their data but for Facebook’s alleged misrepresentations, including its removal of a disclaimer about such apps. And imagine that apps’ ability to access to this data accounted for 25 percent of in-app purchases and 25 percent of advertiser spending on in-app ads. Given these assumptions—which almost certainly overstate the actual figures—Facebook generated about $462.5 million in additional revenue from U.S. users due to its alleged misrepresentations about apps’ access to user data.

That’s a far cry from the $5 billion that Facebook will pay according to its 2019 settlement with the FTC. Even adding in $42,530 per day in civil penalties, or perhaps a multiple of this figure to account for the FTC’s allegations regarding two-factor authentication and facial-recognition technology, it’s hard to see how Facebook should face aggregate monetary liability approaching even $1 billion for the conduct alleged by the FTC in its July 2019 complaint.